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One  purpose  of  this  Audit  Advisory  is  to 
re-cap  the  results  of  recent  audits  so  that 
agencies  can  anticipate  and  address 
deficiencies  that  have  been  identified  by  the 
auditors.  Some  deficiencies,  such  as  a lack 
of  timeliness  and  accuracy  in  financial 
reporting  and  failure  to  monitor  grant 
subrecipients,  represent  areas  that  continue 
to  be  repeated  as  insufficient  progress  has 
been  made.  Other  areas,  such  as  the  failure  to 
adequately  protect  confidential  information, 
are  new  or  evolving  issues  that  should  be 
recognized  and  rectified  by  State  agencies 
before  they  become  significant  problems. 

Another  purpose  of  this  Audit  Advisory  is 
to  highlight  new  accounting  standards  that 
will  impact  State  government.  For  instance, 
effective  in  FY08,  State  agencies  will  have  to 
comply  with  Governmental  Accounting 
Standards  Board  (GASB)  Statement  No.  45: 
Accounting  and  Financial  Reporting  by 
Employers  for  Postemployment  Benefits 
Other  Than  Pensions.  Essentially,  Statement 
No.  45  will  require  governments  to  report  the 
costs  and  obligations  associated  with  health 
and  other  benefits  similar  to  how  they  now 
report  costs  and  obligations  associated  with 
pension  plans.  While  Statement  No.  45 
allows  employers  to  continue  to  fund  these 
other  postemployment  benefits  (OPEB)  on  a 
pay-as-you-go  basis,  under  the  new 
Statement  employers  will  be  forced  to 
monitor  and  report  on  unfiinded  liabilities 
associated  with  OPEBs.  As  a result, 
governments  with  large  unfunded  OPEB 
liabilities  may  find  their  credit  ratings  and 
interest  costs  negatively  affected. 


Understanding  this  and  other  items  in  this 
Audit  Advisory  will  be  useful  as  you  go 
about  fulfilling  your  obligationj^elated  to 
financial  reporting,  internaj/controls  and 
statutory  compliance. 


WILLIAM  G.  HOLLAND 
September  2006 


STATEWIDE  SINGLE  AUDIT  FOR  FY2005 


Illinois  implemented  its  Statewide  Single 
Audit  in  FY2()00.  Circular  A- 133,  issued 
by  the  federal  Office  of  Management 
and  Budget  (0MB),  requires  the  State  to 
prepare  an  annual  report  of  federal  e.xpen- 
ditures  that  includes  all  agencies  that  make 
up  its  “primary  unit  of  government.”  Prior 
to  2000,  the  Auditor  General’s  Office 
conducted  individual  single  audits  of  State 
agencies  receiving  federal  funds. 

The  State’s  FY2005  Statewide  Single 
Audit  reported  that  43  agencies  expended 
$15.9  billion  of  federal  financial  assistance. 
The  2005  Single  Audit  examined  53 
federal  programs  having  expenditures 
totaling  $15.1  billion  (or  95%  of  all 
federal  funds).  To  illustrate  the  growth  of 
the  Statewide  Single  Audit  program,  the 
FY2000  Single  Audit  examined  41  federal 
programs  expending  $10.5  billion  of 
federal  assistance,  or  93%  of  the  $11.3 
billion  in  federal  funds  received  in 
FY  2000. 

A myriad  of  factors  have  delayed  the 
completion  of  the  Statewide  Single  Audit 
in  recent  years.  Many  of  these  same  factors 
have  also  resulted  in  delays  in  completing 
the  Statewide  financial  statements.  The 
Statewide  tlnancial  statements  need  to  be 
completed  before  the  Schedule  of 
Expenditures  of  Federal  Awards  (SEFA) 


can  be  finalized,  which  is  the  financial 
schedule  included  in  the  Single  Audit 
reporting  package  submitted  to  the  Federal 
Audit  Clearinghouse. 

Some  of  the  factors  that  impact  the 
timely  completion  of  the  Statewide  Single 
Audit  include: 

• The  number  of  programs  not  receiving 
an  unqualified  opinion  (i.e.,  received 
either  an  adverse,  disclaimer  or  a 
qualified  opinion)  has  grown  from  7 in 
FY2000  to  17  in  FY2005.  The  total 
expenditures  in  FY2005  not  having 
unqualified  opinions  totaled  $9.0 
billion  or  57%  of  the  total  SEFA 
expenditures  of  $15.9  billion. 

• Beginning  in  FY2003,  the  Single 
Audit’s  (and  the  State’s  financial  state- 
ments for  the  State  of  Illinois)  SEFA 
disclosed  reportable  conditions  in 
internal  control.  Accuracy  of  the  origi- 
nal amounts  being  reported  by  certain 
agencies  to  the  State  Comptroller  in  its 
annual  GAAP  package  reporting 
process  have  multiple  errors  such  as: 

♦ Incorrect  Catalog  of  Federal 
Domestie  Assistanee  (CFDA) 
numbers. 

♦ Incorrect  program  names  or 
incorrect  or  missing  information 
on  the  forms. 


See  SINGLE  A UDI T on  Page  2 

COMMON  SINGLE  AUDIT  FINDING: 
INADEQUATE  SUBRECIPIENT  MONITORING 

One  of  the  more  prevalent  findings  pertains  to  agencies  failing  to  fulfill  their 
responsibilities  as  a “pass  through”  entity  when  issuing  sub-grants.  The  FY2005 
Single  Audit  included  24  findings  related  to  this  problem  area.  The  issues  cover 
items  such  as: 

• Not  using  a risk  assessment  approach  in  their  monitoring. 

• Failure  to  monitor  subrecipient  cash  management. 

• Failure  to  timely  review  0MB  Circular  A- 1 33  reports  when  received 
(or  failure  of  subrecipients  to  provide  reports). 

• Not  verifying  if  subrecipient  has  adequately  detemiined  its  major  programs. 

• Not  conducting  programmatic  and  fiscal  review  (to  include  on-site  visits). 

• Failure  to  infonn  the  subrecipient  that  the  award  includes  a federal  program, 
the  CFDA  #,  and  program  name. 
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SINGLE  AUDIT 

Continued  from  page  1 

♦ Failure  to  include  the  subrecipient 
payment  amounts  on  the  form. 

♦ Infomiation  reported  on  the  form 
does  not  agree  with  other  infonna- 
tion  provided  by  the  agency. 

♦ Infomiation  does  not  agree  with 
agency’s  grant  award  and/or  grant 
award  ledger. 

♦ Listing  of  payments  by  sub- 
recipient is  either  missing  or  does 
not  agree  with  the  amount  reported 
on  the  form. 


These  inaccuracies  are  documented  by 
changes  made  by  the  State 
Comptroller’s  Office  in  its  review  of 
the  GAAP  accounting  forms  and  the 
OAG’s  annual  financial  audits  and 
attestation  engagements  of  state 
agencies. 

Agencies  do  not  finalize  certain 
spending  allocations  until  4 to  6 
months  after  year-end.  The  delay  in 
finalizing  spending  allocations  results 
in  delays  in  the  State’s  completion  of 
the  financial  statements  and  SEFA,  as 
well  as  delays  in  completion  of  the 
Statewide  Single  Audit. 


• Delays  in  receiving  the  llnal  SFJ'A 
data  file  from  State  Comptroller  of 
adjusted  and/or  corrected  federal 
expenditures  and  information  gathered 
during  the  financial  statement  prepara- 
tion process  and  needed  for  compiling 
the  SEFA.  For  example,  the  OAG  did 
not  receive  the  final  FY2()05  data  file 
to  compile  the  State’s  SEFA  until  May 
16,  2006. 

State  agencies  need  to  continue  to  work 
to  address  the  issues  identified  above  so 
that  Illinois  can  timely  report  on  its  use  of 
federal  assistance.  ■ 


NOTIFICATION  REQUIREMENTS: 
PERSONAL  INFORMATION  PROTECTION  ACT 


Too  frequently  there  are  headlines  about 
personal  information  being  inappropriately 
disclosed  by  a private  or  governmental 
entity.  State  agencies  routinely  receive 
personal  infomiation  as  part  of  carrv  ing  out 
their  programs.  Along  with  the  authority  to 
receive  personal  and  confidential  infomia- 
tion conies  the  responsibility  to  ensure  it  is 
adequately  safeguarded  and  to  prevent  its 
unauthorized  disclosure. 

On  January  1,  2006,  the  Personal 
Information  Protection  Act  became  effec- 
tive. The  Act  requires  notification  of  Illinois 
residents  if  the  security  over  their  personal 
information  is  breached  (815  I ECS  530/). 
Public  Act  94-947  recently  amended  the  Act 
to  establish  requirements  specifically  for 
State  agencies. 

Per  the  Act,  personal  information  means 
an  individual’s  first  name  or  first  initial  and 
last  name  in  combination  with  any  one  or 
more  ol' the  following  data  elements,  when 
either  the  name  or  the  data  elements  are  not 


encrypted  or  redacted: 

1 . Social  Security  number. 

2.  Driver’s  license  number  or  State 
identification  card  number. 

3.  Account  number  or  credit  or  debit  card 
number,  or  an  account  number  or  credit 
card  number  in  combination  with  any 
required  security  code,  access  code,  or 
password  that  would  permit  access  to  an 
individual’s  financial  account. 

The  Act  states,  "Any  State  agency  that 
collects  personal  information  concerning  an 
Illinois  resident  shall  notify  the  resident  at 
no  charge  that  there  has  been  a breach  of 
the  security'  of  the  system  data  or  written 
material  following  discovery  or  notification 
of  the  breach.  ” The  Act  goes  on  to  provide 
guidance  as  to  how  that  notification  should 
occur.  The  Act  also  requires  that  a State 
agency  that  has  had  a breach  of  security 
shall  submit  a report  within  five  business 
days  of  the  discovery  or  notification  of  the 
breach  to  the  General  Assembly  listing  the 


breaches  and  outlining  any  corrective 
measures  that  have  been  taken  to  prevent 
future  breaches. 

Finally,  the  Act  addresses  State  agencies’ 
safe  disposal  of  infomiation.  The  Act  states, 
"Any  State  agency  that  collects  personal 
data  that  is  no  longer  needed  or  stored  at  the 
agency  shall  dispose  of  the  personal  data  or 
written  material  it  has  collected  in  such  a 
manner  as  to  ensure  the  security  and 
con  fidentiality’  of  the  material.  ” 

To  prevent  the  disclosure  of  personal 
information  (or  any  confidential  informa- 
tion), we  recommend  that  State  agencies 
identify  all  personal  and  confidential  data 
and  ensure  that  it  is  properly  secured.  The 
Act  promotes  the  redaction  (delete  or 
remove  data;  e.g.,  only  retain  the  last  4 
characters  of  a SSN)  or  encryption  (transla- 
tion of  data  into  an  unreadable  format)  of 
such  information.  Information  on  the  State’s 
Digital  Signature  (encryption)  project  can  be 
found  at  http://www.illinois.gov/pki/.  ■ 


PAYMENT  CARD  INDUSTRY  (PCI)  DATA  SECURITY  STANDARDS 


State  agencies  increasingly  accept  credit 
cards  (or  other  payment  cards)  from  the  pub- 
lic to  perform  routine  payment  transactions. 
Recent  news  stories  have  called  attention  to 
the  rising  incidence  of  stolen  cardholder  data. 
To  combat  this  growing  problem,  the 
Payment  Card  Industry  (PCI)  Data  Security 
Standards  were  developed  to  govern  the 
safekeeping  of  aecount  information. 

The  follow  ing  are  some  of  the  requirements 
of  the  PCI  Data  Security  Standards: 

• Build  and  maintain  a secure  network. 

• Protect  cardholder  data. 

• Maintain  a vulnerability  management 
program. 
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• Implement  strong  access  control 
measures. 

• Regularly  monitor  and  test  networks. 

• Maintain  an  ini'orniation  security  policy. 

The  PCI  Data  Security  Requirements  apply 
to  all  entities  that  store,  process,  or  transmit 
cardholder  data.  Cardholder  data  is  any  per- 
sonally identifiable  data  associated  with  a 
cardholder.  Thus,  State  agencies  that  accept 
payment  cards  (even  if  they  use  a service 
prov  ider  and  do  not  store,  process,  or  trans- 
mit data)  have  a responsibility  to  ensure  that 
cardholder  data  is  protected  in  conformance 
w ith  the  Security  Standards. 


To  ensure  cardholder  data  is  adequately  pro- 
tected, State  agencies  should: 

• Ensure  it  protects  data  in  conformance 
w ith  PCI  Data  Security  Standards  if  it 
stores,  processes  or  transmits  cardholder 
data. 

• Obtain  security  assurance  documenta- 
tion, at  least  annually,  from  any  service 
prov  ider  it  uses,  to  conlirm  their 
compliance  with  PCI  Data  Security 
Standards. 

If  personal  information  is  disclosed,  the 
notification  requirements  of  the  Personal 
Information  Protection  Act  would  apply.  H 


NEW  RISK  ASSESSMENT 
AUDITING  STANDARDS 

The  AICPA’s  Auditing  Standards 
Board  (ASB)  has  issued  eight 
Statements  on  Auditing  Standards 
relating  to  the  assessment  of  risk  in  an 
audit  of  financial  statements.  These 
new  statements,  SAS  No.  104  through 
SAS  No.  Ill,  will  be  effective  for 
audits  of  financial  statements  for 
periods  beginning  on  or  after 
December  15,  2006.  The  Statements 
establish  standards  and  provide 
guidance  concerning  the  auditor’s 
assessment  of  the  risks  of  material 
misstatement  (whether  caused  by 
fraud  or  error)  in  a financial  statement 
audit;  design  and  performance  of 
tailored  audit  procedures  to  address 
assessed  risks;  audit  risk  and 
materiality;  planning  and  supervision; 
and  audit  evidence. 

The  primaiy  objectives  of  these 
Standards  are: 

• A more  in-depth  understanding  of 
the  entity  and  its  environment, 
including  its  internal  control. 

• A more  rigorous  assessment  of 
the  risks  of  where  and  how  the 
financial  statements  could  be 
materially  misstated. 

• Improved  linkage  between  the 
auditor’s  assessed  risks  and  the 
nature,  timing  and  extent  of  audit 
procedures  performed  in 
response  to  those  risks. 

The  Statements  represent  part  of  the 
ASB’s  ongoing  effort  to  develop 
stronger  and  more  specific  auditing 
standards  that  are  intended  to  enhance 
auditor  perfomiance  and  to  improve 
audit  effectiveness.  ■ 


ASSESSING  NEW  ACCOUNTING  STANDARDS 


Over  the  past  several  years.  State  agencies 
have  had  to  implement  various  new 
accounting  standards  issued  by  the 
Governmental  Accounting  Standards  Board 
(GASB).  In  implementing  these  standards, 
agencies  have  encountered  a variety  of 
issues  that  often  negatively  impacted  the 
financial  reporting  process,  such  as  delays 
in  finalizing  financial  reports. 

To  improve  the  financial  reporting 
process,  agencies  should  implement 
formal  policies  and  procedures  for  assessing 
the  effect  future  financial  reporting  changes 
will  have  on  the  agency’s  financial 
reporting  process.  The  policies  should 
address  the  responsibility  for  assessing  the 
impact  of  the  standards,  required  documen- 


tation, and  an  implementation  plan.  The 
appropriate  upper  management  personnel 
should  conduct  a formal  review  and 
approval  of  the  assessment  and  imple- 
mentation plan. 

Such  assessments  should  not  only  include 
GASB  statements  with  future  effective 
dates,  but  also  exposure  drafts.  Agencies 
should  also  periodically  review  current 
GASB  projects  and  the  GASB  technical 
plan  to  determine  the  status  of  items 
that  may  have  a significant  impact  on  the 
Agency’s  financial  reporting  process. 
The  technical  plan,  exposure  drafts  and 
GASB  project  information  are  available  via 
the  “Technical  Issues”  link  on  the  GASB 
web-site  (www.gasb.org).  | 


RECENTLY  ISSUED  GASB  STATEMENTS 

The  Governmental  Accounting  Standards  Board  (GASB)  has  issued  the  following 

Statements  that  are  applicable  to  the  FY06  audit  period: 

• GASB  Statement  No.  40,  Deposit  ami  Investment  Risk  Disclosures,  an  amendment 
to  GASB  Statement  No.  3.  Effective  for  financial  statements  for  periods 
beginning  after  June  15,  2004. 

• GASB  Statement  No.  42,  Accounting  and  Financial  Reporting  for  Impairment  of 
Capital  Assets  and  for  Insurance  Recoveries.  Effective  for  financial  statements  for 
periods  beginning  after  December  15,  2004. 

• GASB  Statement  No.  44,  Economic  Condition  Reporting:  The  Statistical  Section  - 
an  amendment  ofNCGA  Statement  I.  Effective  for  financial  statements  for  periods 
beginning  after  June  1 5,  2005. 

• GASB  Statement  No.  46,  Net  Assets  Restricted  by  Enabling  Legislation,  an 
amendment  of  GASB  Statement  No.  34.  Effective  for  tlnancial  statements  for 
periods  beginning  after  June  15,  2005. 

• GASB  Statement  No.  47,  Accounting  for  Termination  Benefits.  Eor  benefits 
provided  through  Defined  Benefit  Plans  - implement  with  GASB  Statement 

No.  45,  all  other  tennination  benefits  effective  for  financial  statements  for  periods 
beginning  after  June  15,  2005. 

These  GASB  Statements  are  applicable  to  future  audit  periods: 

• GASB  Statement  No.  43,  Einancial  Reporting  for  Postemployment  Benefit  Plans 
Other  Than  Pension  Plans.  Effective  for  financial  statements  for  periods 
beginning  after  December  15,  2005  (Phase  I government). 

• GASB  Statement  No.  45,  Accounting  and  Einancial  Reporting  by  Emplovers  for 
Postemployment  Benefits  Other  Than  Pensions.  Effective  for  financial  statements 
for  periods  beginning  after  December  15,  2006  (Phase  I government). 


RECENT  FINDINGS  Continued  from  page  4 


Information  Systems 

• No  written  policies  and  procedures  existed  related  to  systems 
development  by  external  developers  and  to  assure  that  all 
systems  were  consistently  developed,  thoroughly  tested,  and 
adequately  documented. 

• An  adequate  and  tested  comprehensive  disaster  contingency 
plan  did  not  exist  to  ensure  critical  computer  systems  can  be 
recovered  in  the  event  of  a disaster. 

• Independent  reviews  of  an  externally  controlled  computerized 
system  were  not  obtained. 

• Procedures  for  the  disposal  of  contidential  information  were 
inadequate. 


Timekeeping/Personnel 

• Prior  approval  of  all  overtime  worked  was  not  documented. 

• Employees’  time  spent  on  official  State  business  was  not 
adequately  documented  as  required  by  the  State  Officials  and 
Employees  Ethics  Act. 

• Employee  performance  evaluations  were  not  conducted  on  a 
timely  basis. 

Vehicles 

• Agency  employees  were  assigned  State  vehicles  without 
documentation  of  a business  need. 

• Adequate  records  for  State  vehicles  assigned  to  employees  w'ere 

not  maintained.  I 
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In  June  2004,  the  Governmental 
Accounting  Standards  Board  (GASB) 
issued  Statement  #45:  Accounting  and 
Financial  Reporting  by  Employers  for 
Posteinployment  Benefits  Other  than 
Pensions,  which  establishes  standards  for 
the  measurement  and  recognition  of  Other 
Post-Employment  Benefits  (OPEB)expen- 
ditures.  Typically,  OPEB  includes  post- 
retirement healthcare  (health,  prescription, 
vision,  and  dental  coverage)  as  well  as  life 
insurance  programs.  Overall,  this  Statement 
will  align  the  recognition  of  these  other 
benefits  with  the  recognition  standards  in 
effect  for  pension/ retirement  plans. 

In  current  practice,  most  OPEB  plans  are 
financed  on  a pay-as-you-go  basis  (paying 
an  amount  equal  to  the  benefits  distributed 
or  claimed  that  year)  and  financial 


statements,  therefore,  do  not  report  the 
financial  effects  of  OPEB  until  the  costs  of 
the  benefits  are  actually  paid.  Fuilhermore, 
most  governments  typically  report  only 
their  cash  outlays  for  OPEB  in  a given  year 
rather  than  the  cost  to  the  employer  of 
OPEB  attributed  to  services  received  in  that 
year  from  employees. 

Under  the  new'  standard,  governmental 
entities  will  be  required  to  report  annual 
OPEB  costs,  based  on  actuarial  studies,  for 
the  first  time.  Governmental  entities  will 
need  to  utilize  actuaries  in  order  to 
detennine  required  annual  OPEB  payment 
amounts,  known  as  an  annual  required  con- 
tribution, based  on  a number  of  factors 
including  the  number  of  retirees  and  any 
past  unfunded  amounts.  If  the  annual 
required  contribution  is  not  paid,  the 


government  will  have  to  recognize  a liabil- 
ity known  as  a ‘net  OPEB  obligation"  in  its 
government-wide  financial  statements. 

The  net  OPEB  obligation  amount  can 
increase  rapidly  over  time  if  the  amounts 
paid  for  OPEB  are  less  than  the  annual 
required  contribution.  In  addition  to 
requiring  financial  statement  changes,  the 
standard  requires  a number  of  new  footnote 
disclosures  to  the  government-wide 
financial  statements  including  plan  descrip- 
tions, funding  policies,  annual  OPEB  costs 
and  information  about  the  funded  status  of 
the  plan. 

GASB  #45  is  effective  for  the  State  of 
Illinois'  financial  statements  beginning  in 
FY08.  Additional  infomiation  about  GASB 
Statement  #45  can  be  found  at  GASB’s 
website  (ww'w.gasb.org).  | 


RECENT  AUDIT  FINDINGS 


One  of  the  purposes  of  the  Audit  Advisory  is  to  infonn  agency 
managers  of  findings  that  are  occurring  at  other  agencies,  so  that 
action  can  be  taken  to  correct  these  matters  before  they  become 
problems  at  your  agency.  The  following  are  some  findings  in  audits 
released  by  the  Office  of  the  Auditor  General  in  2006  that  address 
issues  that  many  agencies  face. 

Contracts: 

• Written  contracts  w'ere  not  timely  e.xecuted  after  the  announce- 
ment of  the  awards;  vendors  were  allowed  to  initiate  work 
without  a formal  w ritten  agreement  in  place. 

• Infomiation  on  subcontractors  was  not  included  in  the  contract. 

• Notice  of  contracts  awarded  to  a vendor  that  was  not  the  lowest 
priced  proposer  was  not  published  in  the  Procurement  Bulletin  as 
required  by  the  Procurement  Code  for  professional  and  artistic 
contractors. 

• Professional  services  contracts  in  excess  of  $20,000  were  not  bid. 


• Certain  contracts  and  leases  were  not  filed  as  required  with  the 
State  Comptroller’s  Office. 

• All  required  certifications  were  not  included  in  State  contracts. 

• Documentation  to  adequately  support  payments  made  to  contrac- 
tors was  not  obtained  and  maintained,  and  expenditures  submitted 
for  payment  were  not  adequately  reviewed. 

Financial  Reporting 

• Support  for  amounts  reported  in  its  Generally  Accepted 
Accounting  Principles  (GAAP)  packages  was  not  provided 
timely  and  some  estimated  amounts  ditfered  materially  from 
actual  amounts. 

• Reconciliation  of  expenditure  and  fund  records  to  the  Illinois 
Office  of  the  Comptroller  records  was  not  timely  or  accurate. 

• Weaknesses  existed  in  procedures  related  to  reviewing  final  grant 
expenditures  reported  by  providers  and  the  subsequent  recover) 
of  unspent  grant  funds. 
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• lies  Park  Plaza,  740  East  Ash  Street 
Springfield,  Illinois  62703-3154 

• Michael  A.  Bilandic  Building, 

160  N.  LaSalle  Street,  Suite  S-000 
Chicago,  Illinois  60601-3109 
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